The J2EE security model addresses authentication, authorization, delegation, and data integrity for the components that make up a J2EE environment. This environment includes J2EE applications—Web components, such as servlets and JSP files, EJB components, Java 2 connectors, and JavaMail—and secure interoperability requirements. If all that sounds like buzzword bingo to you, then this sample book chapter will help you grasp the essentials.

This chapter is from the book

The J2EE platform has achieved remarkable success in meeting enterprise needs, resulting in its widespread adoption. The security
infrastructure plays a key role in the e-business strategy of a company. J2EE provides a standard approach to allow enterprise
applications to be developed without hard-coded security policies. Instead, declarative policies are bundled with an assembled
set of application components. Security policies specified using this security model are enforced in any operational environments
and deployed in any of the application servers that host them.

The J2EE security model addresses authentication, authorization, delegation, and data integrity for the components that make
up a J2EE environment. This environment includes J2EE applicationsWeb components, such as servlets and JSP files, EJB components, Java 2 connectors, and JavaMailand secure interoperability requirements. The J2EE security model also considers
the organizational roles that define and enforce these security policies:

Application Component Provider

Application Assembler

Deployer

System Administrator

J2EE Product Provider

This chapter provides an overview of J2EE, exploring the J2EE security model. The chapter explains how various J2EE components
are tied into enterprise security, describes how the J2EE security model addresses the security of J2EE components, and identifies
the responsibility of each of the organizational roles in enforcing security. Declarative security policies and programmatic
security APIs are explained, in addition to the security requirements on JavaMail, Java connectors, client applications, and
containers. This chapter also outlines the secure interoperability requirements that exist between various application servers.

Since its inception, one of the top requirements of the J2EE security model has been to support secure application deployments
that do not rely on private networks or other application runtime isolation techniques. This allows application portability
between containers. Another requirement has been to reduce the application developer's burden by delegating the security responsibilities
to the J2EE roles. Finally, the policy-driven security model enables much of security enforcement to be handled without custom
code.

3.1 Enterprise Systems

An enterprise Java environment, or WAS environment, is nominally viewed as a three-tier architecture (see Section 2.1.2 on page 25). Clients access the information made available through middle-tier systems, which connect to the back-end enterprise
systems, as shown in Figure 3.1.

In an enterprise Java environment, the clients can be both Java based and non-Java based. Clients access the servers over
a variety of protocols, including HTTP, IIOP, SSL, and other messaging protocols accessible through JMS. These clients connect to and access a J2EE-based server environment providing a hosting system for the enterprise components.
These components constitute a presentation layer in the form of servlets, JSP files, HTML files, or XML documents. Alternatively, the components can abstract out the business logic in the form of enterprise beans. Clients may
also submit their requests by using e-mail protocols through the JavaMail framework or connect to naming and directory services
by using the Java Naming and Directory Interface (JNDI). In an enterprise environment, middle-tier applications are likely to connect to back-end enterprise information systems
(EISs). Examples of back-end EISs include relational database management systems (RDBMSs) and ERP applications.

Before delving into the security implications of this architecturally rich environment, it is important to understand the
technologies that comprise a J2EE environment.